updated 10:49 pm EDT, Mon August 5, 2013

Malware collects data about Tor users, forwards to FBI contractor

Following the arrest of a Freedom Hosting service provider supervisor in Ireland, whom law enforcement has referred to as "the largest facilitator of child porn on the planet," reports have surfaced of a JavaScript exploit targeting vulnerabilities in the anonymizing Tor Browser Bundle. The exploit compromises Firefox and forces the browser to send the computer's regular IP address, along with information on Tor sites visited, to a Verizon IP address at a data farm located in Reston, Virginia, that is associated with US law enforcement.

According to security researcher Brian Krebs, "Tor software protects users by bouncing their communications across a distributed network of relays run by volunteers all around the world. As the Tor homepage notes, it prevents anyone who might be watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets users access sites that are blocked by Internet censors."

Freedom Hosting, before its takedown, was the host for some of the Tor network's highest-traffic sites, including TorMail and the Hidden Wiki. Every site hosted by Freedom Hosting became inaccessible around 6:40AM EST on August 4.

Tor users are noting a "very large drop" in the number of 'onions,' or Tor-protected websites, due to the fall of Freedom Hosting. Other operators of Tor sites are finding JavaScript code embedded in sites; the code spreads the malware, which sends identifying information to the Virginia data center. The center is managed by Science Applications International Corporation (SAIC), a US technology contractor known for doing work with the FBI. SAIC is headquartered not far away.

The Tor browser is based on Firefox 17. The current version of Firefox, version 22, is not susceptible to the vulnerability.

Claiming that Tor and similar anonymizer services are "only for criminals" is a massive oversimplification--there are real implications for people in countries like China with repressive governments that monitor and/or block all internet traffic, people who would rather the Google Adsense network wasn't tracking their every move, and even in the US, where we've learned that your activity might not be so unmonitored by the government as you think.

That said, the potential for abuse is massive, and the sad fact is that you have things like Tor being used to distribute child porn and Bitcoin used to pay for hacking services on blackhat sites or drugs and counterfeit stuff on Silkroad. Criminals needed an equivalent of cash and a back alley instead of credit cards and phones, and these technologies provide that.

How to deal with this is a big and real question, and I don't think it's as simple as "information wants to be free, child porn is the cost thereof".